
Re: lprng



Hey,
What do you mean by a debian-specific patch?

On Wednesday 10 January 2001 07:44, Ron Rademaker wrote:
> I know there's a debian package of lprng, but I don't know if the patch
> you're talking about is applied to this package, I guess you should check
> the changelog to find out.
>
> Ron Rademaker
>
> On Wed, 10 Jan 2001, V. Achiaga wrote:
> > Does anyone know where can I find a debian-specific patch for the
> > lprng package?
> >
> > Thanks in advance.
> >
> > Why? Just read the following...
> >
> > > Subject: CERT Advisory CA-2000-22
> > >
> > >
> > > CERT Advisory CA-2000-22 Input Validation Problems in LPRng
> > >
> > >    Original release date: December 12, 2000
> > >    Last updated: --
> > >    Source: CERT/CC
> > >
> > >    A complete revision history is at the end of this file.
> > >
> > > Systems Affected
> > >
> > >      * Systems running unpatched LPRng software
> > >
> > > Overview
> > >
> > >    A popular replacement software package to the BSD lpd printing
> > > service called LPRng contains at least one software defect, known as a
> > > "format string vulnerability,"[1] which may allow remote users to
> > > execute arbitrary code on vulnerable systems.
> > >
> > > I. Description
> > >
> > >    LPRng, now being packaged in several open-source operating system
> > >    distributions, has a missing format string argument in at least two
> > >    calls to the syslog() function.
> > >
> > >    Missing format strings in function calls allow user-supplied
> > > arguments to be passed to a susceptible *snprintf() function call.
> > > Remote users with access to the printer port (port 515/tcp) may be able
> > > to pass format-string parameters that can overwrite arbitrary addresses
> > > in the printing service's address space. Such overwriting can cause
> > > segmentation violations leading to denial of printing services or to
> > > the execution of arbitrary code injected through other means into the
> > > memory segments of the printer service.
> > >
> > >    Sample syslog entries from successful exploitation of this
> > >    vulnerability have been reported, as follows:
> > >
> > >
> > >    This vulnerability has been assigned the identifier CAN-2000-0917 by
> > >    the Common Vulnerabilities and Exposures (CVE) group:
> > >
> > >           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
> > >
> > >    The CERT/CC has received reports of extensive probing to port
> > > 515/tcp. In addition, we have received some reports of systems
> > > compromised using this vulnerability. Tools exploiting this
> > > vulnerability have been posted to public forums.
> > >
> > > II. Impact
> > >
> > >    A remote user may be able to execute arbitrary code with elevated
> > >    privileges.
> > >
> > >    In addition, the printing service may be disrupted or disabled
> > >    entirely.
> > >
> > > III. Solution
> > >
> > > Apply a patch from your vendor
> > >
> > >    Upgrade to a non-vulnerable version of LPRng (3.6.25), as described
> > > in the vendor sections below. Alternately, you can obtain the version
> > > of LPRng which fixes the missing format string at:
> > >
> > >           ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz
> > >
> > > Disallow access to printer service ports (typically 515/tcp) using
> > > firewall or packet-filtering technologies
> > >
> > >    Blocking access to the vulnerable service will limit your exposure
> > > to attacks from outside your network perimeter. However, the
> > >    vulnerability would still allow local users to gain privileges they
> > >    normally shouldn't have; in addition, blocking port 515/tcp at a
> > >    network perimeter would still allow any remote user inside the
> > >    perimeter to exploit the vulnerability.
> > >
> > > Appendix A. Vendor Information
> > >
> > > Apple
> > >
> > >    Apple has conducted an investigation and determined that Mac OS X
> > >    Public Beta and Mac OS X Server do not use LPRng and are therefore
> > > not vulnerable to this exploitation.
> > >
> > > Caldera OpenLinux
> > >
> > >    See CSSA-2000-033.0 "format bug in LPRng" at:
> > >
> > >          http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
> > >
> > > Compaq Computer Corporation
> > >
> > >    Compaq Tru64 UNIX S/W is not vulnerable.
> > >
> > > FreeBSD
> > >
> > >    FreeBSD does not include LPRng in the base system. Older versions of
> > >    FreeBSD included a vulnerable version of LPRng in the Ports
> > > Collection but this was corrected almost 2 months ago, prior to the
> > > release of FreeBSD 4.2. See FreeBSD Security Advisory 00:56
> > >    (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc)
> > >    for more information.
> > >
> > > Hewlett-Packard Company
> > >
> > >    This does not apply to HP; HP does not ship LPRng on HP-UX.
> > >
> > > IBM
> > >
> > >    IBM's AIX operating system is not vulnerable to this security
> > > exploit.
> > >
> > > Microsoft Corporation
> > >
> > >    Microsoft doesn't use LPRng in any of its products, so no Microsoft
> > >    products are affected by the vulnerability.
> > >
> > > NetBSD
> > >
> > >    NetBSD does not include LPRng in the base system; however we do have
> > > a third-party package of LPRng-3.6.8 which is vulnerable. There's work
> > > underway to upgrade it to a non-vulnerable version.
> > >
> > > OpenBSD
> > >
> > >    OpenBSD does not ship lprng.
> > >
> > > RedHat
> > >
> > >    LPRng Version 3.6.24 and earlier is vulnerable.
> > >
> > >    See RHSA-2000:065-04 at:
> > >
> > >           http://www.redhat.com/support/errata/RHSA-2000-065-06.html
> > >
> > > SGI
> > >
> > >    IRIX does not contain LPRng support.
> > >
> > > SuSE
> > >
> > >    SuSE is not vulnerable. Please see additional comments at:
> > >
> > >          http://lists.suse.com/archives/suse-security/2000-Sep/0259.html
> > >
> > > References
> > >
> > >     1. VU#382365: LPRng can pass user-supplied input as a format string
> > >        parameter to syslog() calls, CERT/CC, 10/06/2000,
> > >        https://www.kb.cert.org/vuls/id/382365
> > >    _________________________________________________________________
> > >
> > >    The CERT Coordination Center thanks Chris Evans for his initial
> > > report on the vulnerability described in this advisory.
> > >    _________________________________________________________________
> > >
> > >    Author: This document was written by Jeffrey S Havrilla. Feedback on
> > >    this advisory is appreciated.
> > >   
> > > ______________________________________________________________________
> > >
> > >    This document is available from:
> > >    http://www.cert.org/advisories/CA-2000-22.html
> > >   
> > > ______________________________________________________________________
> > >
> > > CERT/CC Contact Information
> > >
> > >    Email: cert@cert.org
> > >           Phone: +1 412-268-7090 (24-hour hotline)
> > >           Fax: +1 412-268-6989
> > >           Postal address:
> > >           CERT Coordination Center
> > >           Software Engineering Institute
> > >           Carnegie Mellon University
> > >           Pittsburgh PA 15213-3890
> > >           U.S.A.
> > >
> > >    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
> > > EDT(GMT-4) Monday through Friday; they are on call for emergencies
> > > during other hours, on U.S. holidays, and on weekends.
> > >
> > > Using encryption
> > >
> > >    We strongly urge you to encrypt sensitive information sent by email.
> > >    Our public PGP key is available from
> > >
> > >    http://www.cert.org/CERT_PGP.key
> > >
> > >    If you prefer to use DES, please call the CERT hotline for more
> > >    information.
> > >
> > > Getting security information
> > >
> > >    CERT publications and other security information are available from
> > >    our web site
> > >
> > >    http://www.cert.org/
> > >
> > >    To subscribe to the CERT mailing list for advisories and bulletins,
> > >    send email to majordomo@cert.org. Please include in the body of your
> > >    message
> > >
> > >    subscribe cert-advisory
> > >
> > >    * "CERT" and "CERT Coordination Center" are registered in the U.S.
> > >    Patent and Trademark Office.
> > >   
> > > ______________________________________________________________________
> > >
> > >    NO WARRANTY
> > >    Any material furnished by Carnegie Mellon University and the
> > > Software Engineering Institute is furnished on an "as is" basis.
> > > Carnegie Mellon University makes no warranties of any kind, either
> > > expressed or implied as to any matter including, but not limited to,
> > > warranty of fitness for a particular purpose or merchantability,
> > > exclusivity or results obtained from use of the material. Carnegie
> > > Mellon University does not make any warranty of any kind with respect
> > > to freedom from patent, trademark, or copyright infringement.
> > >    _________________________________________________________________
> > >
> > >    Conditions for use, disclaimers, and sponsorship information
> > >
> > >    Copyright 2000 Carnegie Mellon University.
> > >
> > >    Revision History
> > > 	Dec 12, 2000: Initial Release
> > >
> > >
> >
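The advisory quoted above describes syslog() being handed a user-supplied request line as its format argument. The following is an added example (not LPRng code, not from the advisory): a logging wrapper in the hardened form, with the vulnerable call shown only as a comment, plus a small detector that flags request lines carrying printf-style directives such as the advisory's "%300$n". The names log_bad_request and has_format_directive are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The pattern the advisory describes: the untrusted request line is the
 * format string itself, so "%n"-style directives are interpreted:
 *
 *     syslog(LOG_ERR, line);          vulnerable: line is the format
 *
 * The fix is a fixed format string with the untrusted text as an argument:
 *
 *     syslog(LOG_ERR, "%s", line);    hardened
 *
 * snprintf() is used here instead of syslog() so the result can be checked. */

/* Hardened logger: the request line is never parsed as a format string, so
 * "%.168u%300$n" is copied literally. Returns the length snprintf reports. */
int log_bad_request(char *out, size_t outlen, const char *line)
{
    return snprintf(out, outlen, "Dispatch_input: bad request line '%s'", line);
}

/* Detection helper for a log scanner or an input check at the lpd port:
 * true if a '%' introduces a conversion, including positional "%N$" forms
 * (as in "%300$n") and precision ("%.168u"). "%%" is an escaped percent
 * and a trailing lone '%' is not a directive. */
bool has_format_directive(const char *line)
{
    for (const char *p = line; (p = strchr(p, '%')) != NULL; p++) {
        const char *q = p + 1;
        if (*q == '%') { p = q; continue; }              /* "%%" */
        while (*q >= '0' && *q <= '9') q++;              /* width or position */
        if (*q == '$') q++;                              /* positional marker */
        while (*q == '.' || (*q >= '0' && *q <= '9')) q++; /* precision */
        if (*q != '\0' && strchr("diouxXnspc", *q) != NULL)
            return true;
    }
    return false;
}
```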